ARRL’s curious LOTW password problem
Today the ARRL published this notice about password problems popping up for some LOTW program users:
An upgrade to the password-checking mechanism that authenticates Logbook of The World (LoTW) users has caused log-in problems for some clients. Under the system in place prior to approximately 2300 UTC on September 19, the LoTW log-in system ignored the case of any characters in a password when checking for a match, storing them all as lower-case. The new system is case sensitive, however. While passwords once were randomly generated, the ARRL IT staff recently implemented a new LoTW password mechanism that lets users choose their own passwords. Under this new system, when users first log in, their passwords are encrypted. Some users with mixed-case passwords attempting to log in were rejected, however, because the system had stored their passwords as all lower case. A subsequent modification allows the system to accept a user’s mixed-case password and changes the stored password to the user’s mixed-case specification. The issue also can present problems for applications, such as logging programs, that employ a user’s credentials to access a LoTW account. Users who encounter trouble logging in to LoTW are being asked to enter their passwords in all lower case. If that doesn’t work, contact the LoTW Help Desk or explore other methods available for LoTW. Any LoTW users who logged in before this modification was made — at around 2300 UTC on September 19 — had their passwords stored in lower case, no matter which case they used in entering them. These passwords now must be entered as lower case. Users who changed to a password that includes mixed-case letters must continue to enter that password in mixed-case letters. ARRL apologizes for underestimating the extent to which the lack of password case sensitivity in the previous LoTW authentication mechanism was going to cause problems for so many users.
What is curious to me about the above is that I should have been affected, but wasn’t. My password perfectly fits within the description above. But my LOTW account is completely unaffected — business as usual. The ARRL’s explanation is somehow only partially correct. Hopefully the ARRL will tell us more if and when it gets a better handle on this problem.
In my opinion the way LOTW used to handle passwords was inexcusably inept. Glad it’s finally on the right track? Also, some time back the ARRL website was hacked. The ARRL belatedly announced the hack, but never really fully explained how the hack took place or how reoccurrences would be prevented. Its announcement just minimized the hack. Sometimes I think the ARRL, when it comes to 21st-century technology, is still in the 20th century.
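The migration described in the ARRL notice can be modelled in a few lines. This is an added example, not ARRL's code: the Account record, both login functions, the PBKDF2 parameters and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # example work factor, not taken from the notice


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Account:
    """Hypothetical record: either a legacy lower-cased value or a salted digest."""

    def __init__(self, legacy_lower: str):
        self.legacy_lower = legacy_lower  # what the old system kept
        self.salt = None
        self.digest = None

    def convert(self, password: str) -> None:
        # Replace the legacy value with a salted digest of `password`.
        self.salt = os.urandom(16)
        self.digest = _digest(password, self.salt)
        self.legacy_lower = None

    def check_digest(self, typed: str) -> bool:
        return hmac.compare_digest(_digest(typed, self.salt), self.digest)


def login_first_cut(acct: Account, typed: str) -> bool:
    """Case-sensitive check against the lower-cased legacy value."""
    if acct.digest is not None:
        return acct.check_digest(typed)
    ok = hmac.compare_digest(typed.encode(), acct.legacy_lower.encode())
    if ok:
        acct.convert(typed)  # the stored digest is of the lower-case form
    return ok


def login_with_fallback(acct: Account, typed: str) -> bool:
    """Legacy records match case-insensitively, then keep the typed case."""
    if acct.digest is not None:
        return acct.check_digest(typed)  # converted accounts stay case-sensitive
    ok = hmac.compare_digest(typed.lower().encode(), acct.legacy_lower.encode())
    if ok:
        acct.convert(typed)  # store the user's mixed-case specification
    return ok
```

An account converted by the first cut only holds a digest of the lower-case form, so the original mixed-case spelling cannot be recovered for it; that matches the notice's instruction that those users keep typing lower case.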